FTC Safeguards Rule for Auto Dealers: What You Need to Know
July 1st, 2025

Editor's note: This post was originally published on January 18, 2024 and has been revised for clarity and comprehensiveness.
The Federal Trade Commission (FTC) regulates the automobile industry to protect consumers from unfair and deceptive business practices.
However, following yet another set of guidelines from another organization can be overwhelming.
Luckily, the FTC Safeguards Rule is designed to be streamlined and easy to follow for all businesses under its jurisdiction.
As a Managed Security Service Provider (MSSP), Intelligent Technical Solutions (ITS) has over 20 years of experience ensuring that clients covered by FTC regulations have up-to-par cybersecurity. In this article, we’ll break down:
- What is the FTC Safeguards Rule?
- Why was the rule amended?
- Why should auto dealers care?
- How can you gauge your FTC compliance?
By the end of this article, you’ll know the definition of the FTC Safeguards Rule and how to prepare your business for FTC auditing.
What is the FTC Safeguards Rule?
The FTC Safeguards Rule is part of the Gramm-Leach-Bliley Act (GLBA) and requires financial institutions—including auto dealerships that offer financing or leasing—to protect customer information.
While the rule has been in effect since 2003, amendments made in 2023 and implemented in 2024 have expanded its scope and enforcement.
Any dealership that collects and stores personal financial data (such as credit applications) is legally obligated to implement a written information security program (WISP) and meet specific safeguards.
Why was the FTC Safeguards Rule amended?
The FTC updated the Safeguards Rule in response to a growing number of businesses failing to meet minimum data protection standards.
Cyberattacks and data breaches have put millions of consumers at risk, prompting stricter regulations.
According to Sean Harris, Chief Security Officer at ITS, “It’s legal liability that we’re dealing with.” He explains that today, compliance frameworks like FTC Safeguards are being used by insurance companies and legal teams to determine whether businesses were following best practices when an incident occurs.
“More than 50% of the insurance claims are being denied because companies aren’t meeting certain standards,” Harris says. “If you’re not following the FTC Safeguards Rule, that becomes the reason why they [insurers] won’t pay out.”
Why should auto dealers care?
If your dealership handles financing or leasing, you're required to comply with the amended FTC Safeguards Rule. Non-compliance can result in fines of up to $46,517 per violation, reputational damage, and even customer lawsuits in the event of a breach.
You must now:
- Maintain a Written Information Security Program (WISP)
- Designate a qualified individual to oversee your cybersecurity efforts
- Conduct regular cybersecurity risk assessments
- Train your staff
- Monitor and assess third-party vendors
Harris notes that even without an official FTC audit, the risks are real. “You may not see an auditor come, but when ransomware hits, they [your clients] will ask, ‘Show me what your best [cybersecurity defense] is,’ and compare that to the framework — FTC Safeguards.”
“One in five breaches or incidents now results in a lawsuit,” Harris warns. “The FTC Rule is no longer just about compliance — it’s about proving you took reasonable, necessary steps to protect your business.”
How can you gauge your FTC compliance?
Use these five questions to evaluate how prepared your business is for an FTC audit:
1. Do you have a Written Information Security Program (WISP)?
A WISP outlines how your dealership protects sensitive customer data. It should include:
- How you identify and assess risks annually
- Internal and external threats to data security
- Preventive steps you're taking to mitigate those risks
If you don't have a WISP, or your document hasn’t been updated since before 2022, you're not meeting the current FTC standard.
2. Do you have an Officer-in-Charge (OIC) for your security program?
The FTC requires you to appoint a qualified individual to oversee the design and implementation of your WISP. This person should:
- Understand your dealership’s IT infrastructure
- Be involved from the planning stage of your WISP
- Serve as the point of contact for any regulatory inquiries or audits
This role should not be symbolic. The OIC must be actively engaged and capable of managing day-to-day cybersecurity tasks and long-term strategy.
3. Do you assess your cybersecurity regularly?
Ongoing risk assessments are essential to identify vulnerabilities that could lead to a breach. While your OIC can manage this process, bringing in third-party professionals ensures an objective view.
A strong assessment program should include:
- Network vulnerability scans
- Penetration testing
- Endpoint monitoring
- Reports with clear action steps
Cybercriminals adapt constantly — your defenses must, too.
4. Do you train your employees in cybersecurity?
Security awareness training is now a baseline requirement. Your employees should be educated on:
- Recognizing phishing attacks
- Using strong passwords and multi-factor authentication
- Reporting suspicious activity
Training should be conducted at least annually and refreshed periodically to reflect new threats.
5. Do you vet your third-party vendors?
Many dealerships outsource services—from DMS providers to payroll and marketing. You’re still responsible for safeguarding customer data handled by these partners.
Make sure you:
- Request documentation (e.g., SOC 2, ISO 27001)
- Review their data protection policies
- Maintain a vendor risk register and update it quarterly
Ready to implement FTC Safeguards for your business?
Compliance isn’t optional—it’s required by law and essential to protecting your customers and your reputation.
As a Managed Security Service Provider (MSSP), Intelligent Technical Solutions (ITS) helps auto dealerships build and maintain FTC-compliant cybersecurity programs. Our experts can:
- Develop a customized WISP
- Conduct cybersecurity risk assessments
- Train your employees
- Vet your third-party vendors
Don’t wait for a violation to find out you’re not prepared. Schedule a consultation with our IT experts today.
Kharmela Mindanao is a senior content writer for Intelligent Technical Solutions. She’s called Ella by her friends and likes yoga, literature, and mountain climbing. Her favorite book is Anxious People by Fredrik Backman. She creates art and poetry and is on a quest to find the best cheesecake.